Transcript
A (0:01)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack with wired, wireless and cellular all in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.

React2Shell attacks keep accelerating as automated exploitation spreads, the BlackForce phishing kit bypasses MFA with browser attacks, the ConsentFix attack steals Microsoft OAuth access without passwords or MFA, and ShinyHunters is back with stolen info from Pornhub. This is Cybersecurity Today, and I'm your host Jim Love, with my last regular news edition before the holiday.

The React2Shell vulnerability just keeps getting worse. What started as a critical remote code execution flaw in React Server Components has now turned into a rapidly expanding exploitation campaign. The vulnerability, tracked as CVE-2025-55182, allows attackers to run arbitrary code on vulnerable servers using a single unauthenticated HTTP request. It carries a CVSS score of 10.0, the highest possible severity. The flaw sits in the Flight protocol used by React Server Components and affects popular frameworks, including Next.js and other React-based server implementations. Because it relies on unsafe deserialization, attackers don't need credentials, user interaction, or even prior access. If the service is exposed to the Internet and it's unpatched, it's effectively open.

What's changed in the past several days is the scale and sophistication security researchers are now seeing. Sustained automated scanning combined with active post-exploitation attacks has moved beyond proof-of-concept testing into real deployments of cryptominers, backdoors, remote shells, and tunneling tools, with some campaigns clearly focused on persistence rather than smash-and-grab abuse. The number of exposed systems remains alarmingly high. Researchers estimate that well over 100,000 Internet-facing endpoints are still vulnerable, giving attackers a large and constantly refreshed target pool. And that's why this keeps growing: scanners don't stop, and every unpatched server becomes the next easy win. CISA has now added React2Shell to its Known Exploited Vulnerabilities catalog, signaling that exploitation is very real and widespread. Patching is no longer a best-practice recommendation. It's an emergency response. Web application firewalls can help, but they're not a substitute for updating the affected frameworks. And Vercel Labs has a tool that they say is one command to fix the Next.js problem, fix-react2shell-next. You may want to check it out. React2Shell is a textbook example of how modern supply chain vulnerabilities behave. Once exploitation is automated, time stops being measured in days or even hours. If a production React server is still unpatched and attackers are looking at it, it's probably not a question of how they will exploit it. They have probably already launched the attack.

A new professional-grade phishing toolkit called BlackForce is shaking up credential theft campaigns by combining classic login capture with sophisticated man-in-the-browser techniques that let attackers bypass multi-factor authentication. First spotted in August of 2025 but now actively distributed on underground forums for less than $500, BlackForce lets threat actors serve realistic fake login pages for major brands and then silently intercept credentials and one-time codes in real time. Once a victim lands on a phishing page, the kit's JavaScript captures the username and password and immediately relays them through an automated control panel. BlackForce then injects fake MFA prompts directly into the user's browser, capturing one-time authentication codes that are used moments later to complete a legitimate login. This renders many common MFA methods ineffective. Analysts from Zscaler ThreatLabz report that at least five versions of BlackForce are in the wild, with ongoing upgrades that improve evasion and persistence. The tool's anti-analysis filters block security crawlers and scanners, making detection and research harder. It's been used to spoof login portals for brands including Disney, Netflix, DHL and UPS, showing real-world reach across consumer and enterprise targets. By combining live credential capture with on-the-fly MFA interception inside the browser session, it collapses that last line of authentication defense in all too many environments.

Microsoft is warning users about a growing wave of account takeovers that don't rely on stolen passwords or broken multi-factor authentication at all. Instead, attackers are abusing OAuth consent. They're tricking users into approving malicious apps that gain long-term access to their Microsoft accounts. In these attacks, victims receive what appears to be a legitimate Microsoft security message warning of suspicious activity. When the user follows the prompt, they're led through a consent screen that looks routine, the same type of screen many people click through when connecting apps to Microsoft 365, Outlook or Azure Active Directory. By approving it, the user grants the attacker's app permission to access email, files, contacts, or even account data. Because the access is granted through Microsoft's own OAuth framework, passwords, MFA and even passkeys remain intact. The malicious app receives a valid access token and can continue operating until the consent is revoked, often silently and for weeks or months. And that's what makes this especially dangerous in enterprise environments. Microsoft says legitimate security alerts will never ask users to approve a new app or grant permissions to resolve an account issue. Any unexpected consent request should be treated as hostile. Users and administrators are advised to regularly review enterprise applications and app registrations in Microsoft Entra ID and remove any apps they don't explicitly recognize.

Adult video platform Pornhub is being extorted by the ShinyHunters cybercrime group after the search and viewing history of premium users was allegedly stolen and threatened with public release. Pornhub says the data exposure stems from a breach at analytics provider Mixpanel, not Pornhub's own systems. In a security notice posted Friday, the company said the incident affects only a subset of premium users and that passwords, payment details and financial information were not exposed. Pornhub also says it stopped working with Mixpanel in 2021, indicating the data involved may be historical. According to ShinyHunters, the stolen data set totals 94 gigabytes and contains more than 200 million records of premium member activity. The group claims the data includes email addresses, video titles, URLs, keywords, timestamps, locations and records of videos watched or downloaded, and possibly search histories as well. A small sample shared with researchers shows highly sensitive behavioral data tied directly to individual accounts. However, Mixpanel is disputing the origin of the data. After BleepingComputer published its report, Mixpanel said it found no evidence that the Pornhub data came from its November 2025 breach, which itself was caused by an SMS phishing attack. Mixpanel claims the data was last accessed by a legitimate employee account at Pornhub's parent company in 2023, not exfiltrated during the recent incident. What is confirmed is that ShinyHunters is behind the extortion campaign. The group has contacted multiple Mixpanel customers demanding payment and has a long track record in 2025, including attacks involving Salesforce integrations, the exploitation of an Oracle E-Business Suite zero-day, and breaches at companies like Gainsight. ShinyHunters is also developing a new ransomware-as-a-service platform called ShinySp1d3r, reportedly linked to actors associated with Scattered Spider. This case highlights a growing blind spot in data security. Even when core systems are secure, analytics and telemetry data can quietly become the most sensitive data an organization holds. And if that data leaks, the damage isn't financial theft, it's permanent reputational exposure.

And that's our show, my last news show of the year. We will have our weekend Year in Review show with our live panel, but as we wrap up the year, I realize that for many of you the holidays can be, in the words of Charles Dickens, the best of times and the worst of times. It's a time when attackers love to hit, and it's a time when our users are also most vulnerable. Whether it's phishing sites from Amazon or some of the new clever attacks, there were a couple I couldn't even get to in this newscast. Hiding malware in torrent videos is a story I've covered, with new attacks this year, at least so far. The malware hidden in video torrents can evade endpoint detection and response. So that video that your users got from a friend for free can have a huge cost, both personal and corporate. And today I caught a story about how malware was hidden in Kindle books. Fortunately, Amazon has a patch out, so remind those heavy readers that every device needs to be updated: phones, laptops, even Kindle readers. And I have zero moralizing about pornography if it's consenting adults. But for some people, I could understand, this might make them feel desperate. And as much as we are stressed, and I know it's hard, we need to give a gift at Christmas. The gift of understanding. To let our users and the people we support know that if they get into trouble, we've reminded them: 'tis the season to be cautious, 'tis the season to be patching. But it's also the season to be understanding.

As I noted, this is my last regular show until January 5th. We aren't going away. We'll have our weekend show and some specials through the holidays. David or I may even pop in with some updates if something big happens. I'll be doing some work on our infrastructure. I'm told our server's been taking a pounding, and that's why, after so many weeks of working fine, our Google speaker edition has acted up again. And by the way, if this does happen to you and you can't get us on your Google speaker, you can just ask it to play Cybersecurity Today on YouTube Music. We're there. And I'm also hoping we'll have our new news website up and running. No pop-ups, no slamming with ads, just easy-to-read news updates.

And we couldn't have done all of this without support from our sponsors. Meter has been a great supporter, and all they've asked is that we tell people they exist and how to find them. As their CEO said to me, "I'll leave it with you. You know how to talk to your audience." And I will. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments, and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. And I'm sure they'd love to give you a demo at meter.com/CST. That's M-E-T-E-R dot com slash CST.

And one more special thanks to all of you who've listened this year and who've downloaded not just the print version of my book, but also the audio version. Becoming a novelist was a dream come true. And I had another dream come true when I looked the other day and I saw A Tale of Quantum Kisses by Jim Love with the two words beside it: Best Seller on Audible. I know a lot of you helped me to get there. An audiobook bestseller narrated by me. So there's a double meaning to this today. I'm your host Jim Love, and for some, your narrator. And sincerely, thanks for listening.
